The Operational Transformation (OT) approach, used in many collaborative editors, allows a group
of users to concurrently update replicas of a shared object and exchange their updates in any order.
The basic idea of this approach is to transform any received update operation before its execution on
a replica of the object. This transformation aims to ensure the convergence of the different replicas
of the object, even though the operations are executed in different orders. However, designing
transformation functions for achieving convergence is a critical and challenging issue. Indeed, the
transformation functions proposed in the literature have all been revealed to be incorrect.

In this paper, we investigate the existence of transformation functions for a shared string altered 
by insert and delete operations. From the theoretical point of view, two properties - named TP1 and 
TP2 - are necessary and sufficient to ensure convergence. Using a controller synthesis technique, we
show that there are some transformation functions which satisfy only TP1 for the basic signatures of 
insert and delete operations. As a matter of fact, it is impossible to meet both properties TP1 and TP2 
with these simple signatures. 

1 Introduction 

Collaborative editing systems (CESs for short) constitute a class of distributed systems where dispersed 
users interact by manipulating some shared objects like texts, images, graphics, XML documents, etc. 
To improve data availability, these systems are based on data replication. Each user has its local copy 
of the shared object and can access and update its local copy. The update operations executed locally 
are propagated to other users. Update operations are not necessarily executed in the same order on the 
object replicas, which may lead to a divergence (object replicas are not identical). For instance, suppose 
two users $u_1$ and $u_2$ working on their own copies of a text containing the word "efecte". User $u_1$ inserts
'f' at position 1, to change the word into "effecte". Concurrently, user $u_2$ deletes element at position 5
(i.e., the last 'e'), to change the word into "efect". Each user will receive an update operation that was
applied on a different version of the text. Applying naively the received update operations will lead to
divergent replicas ("effece" for user $u_1$ and "effect" for user $u_2$, see Fig. 1).

Several approaches are proposed in the literature, to deal with the convergence of replicated data: 
Multi-Version (MV), Serialization-Resolution of Conflicts (SRC), Commutative Replicated Data Type
(CRDT), Operational Transformation (OT), etc. 

The multi-version approach [1], used in CVS, Subversion and ClearCase, is based on the paradigm 
"Copy-Modify-Merge". In this approach, update operations made by a user are not automatically 
propagated to the others. They will be propagated only when the user explicitly calls the merge function.
It would be interesting to propagate automatically, to all others, each update operation performed by a
user. This is the basic idea of SRC.

To achieve convergence, SRC requires the operations to be executed in the same order at every site.
Therefore, sites may have to undo and execute again operations, as they receive the final execution order
of update operations. This order is determined by a central server fixed when the system is launched
(central node). For the previous example, this approach requires that sites of both users execute the two
operations in the same order. However, even if we obtain an identical result in both sites, the execution
order imposed by the central site may not correspond to the original intention of some user. For instance,
executing, in both sites, the operation of $u_1$ followed by the one of $u_2$ results in the text "effece", which
is inconsistent with the intention of $u_2$.

The Commutative Replicated Data Type (CRDT) is a data type where all concurrent operations 
commute with each other [9]. In such a case, to ensure convergence of replicas it suffices to respect the
causality principle (i.e., whenever an operation o' is generated after executing another operation o, o is 
executed before o' at every site). The main challenge of CRDT is designing commutative operations for 
the data type. The commonly used idea consists in associating a unique identifier with the position of 
each symbol, line or atom of the shared document and when an insert operation is generated, a unique 
identifier is also associated with the position parameter of the operation. The position identifiers do not 
change and are totally ordered w.r.t. <. Symbols, lines or atoms of the document appear in increasing 
order w.r.t. their identifiers. Managing position identifiers is a very important issue in this approach as 
the correctness is based on the unicity of position identifiers and the total order preservation. Ensuring 
unicity may induce space and time overheads. Let us apply this paradigm to the previous example. 
A unique identifier is associated with each symbol of the initial text: "(e,3) (f,6) (e, 8) (c,9) (t,9.5) 
(e,10)". A unique identifier between 3 and 6 is assigned to position 1 of the operation of $u_1$. Let 4.5
be the selected identifier. The identifier assigned to position 5 of the delete operation of $u_2$ is 10. Both
execution orders of operations of $u_1$ and $u_2$ lead to the text "(e,3) (f,4.5) (f,6) (e, 8) (c,9) (t,9.5)". CESs
like TreeDoc 0, Logoot ED. Logoot-Undo HH and WOOT flU are based on CRDT paradigm. In this 
approach, all concurrent operations are commutative. So, the different orders of their execution lead to 
the same state. 

Operational transformation (OT), proposed by [5], is an approach where the generated concurrent
operations are not necessarily commutative. Their commutativity is forced by transformation of
operations before their execution. More precisely, when a site receives an update operation, it is first
transformed w.r.t. concurrent operations already executed on the site. The transformed operation is then
executed on the local copy. This transformation aims at assuring the convergence of copies even if users
execute the same set of operations in different orders. OT is based on a transformation function, called
Inclusive Transformation (IT), which transforms an update operation w.r.t. another update operation.
For the previous example, when $u_1$ receives the operation of $u_2$, it is first transformed w.r.t. the local
operation as follows: $IT(Del(5), Ins(1,f)) = Del(6)$. The deletion position is incremented because $u_1$
has inserted a character at position 1, which is before the character deleted by $u_2$. Next, the transformed
operation is executed on the local copy of $u_1$. In a similar way, when $u_2$ receives the operation of $u_1$, it
is transformed as follows before its execution on the local copy of $u_2$: $IT(Ins(1,f), Del(5)) = Ins(1,f)$.
In this case, it remains the same because 'f' is inserted before the deletion position of operation of $u_2$ (see
Fig. 2). We can find, in the literature, several IT functions: Ellis's algorithm [5], Ressel's algorithm [10],
Sun's algorithm [14], Suleiman's algorithm [11] and Imine's algorithm [6]. However, all these functions
fail to ensure convergence 



In this paper, we investigate the existence of IT functions ensuring convergence for shared strings
based on the classical signatures of update operations. Section 2 is devoted to OT and IT functions
proposed in the literature. For each IT function, we provide, at this level, a counterexample for the
convergence property. In Section 3 we show, using a controller synthesis technique, that there is no IT
function based on the classical signatures of update operations, which ensures convergence. Conclusion
goes in Section 01 
Figure 1: Integration without transformation.
Figure 2: Integration with transformation.



2 Operational Transformation Approach 
2.1 Background 

OT considers $n$ sites, where each site has a copy of the collaborative object (shared object). The shared
object is a finite sequence of elements from a data type $\mathcal{A}$ (alphabet). It is assumed here that the shared
object can only be modified by the following primitive operations:

$$\mathcal{O} = \{Ins(p,c) \mid c \in \mathcal{A} \text{ and } p \in \mathbb{N}\} \cup \{Del(p) \mid p \in \mathbb{N}\} \cup \{Nop()\}$$

where $Ins(p,c)$ inserts the element $c$ at position $p$; $Del(p)$ deletes the element at position $p$, and $Nop()$
is the idle operation that has null effect on the object.

Each site can concurrently update its copy of the shared object. Its local updates are then propagated
to other sites. When a site receives an update operation, it is first transformed before its execution.
Since the shared object is replicated, each site will own a local state $l$ that is altered only by operations
executed locally. The initial state of the shared object, denoted $l_0$, is the same for all sites. Let $\mathcal{L}$ be
the set of states. The function $Do : \mathcal{O} \times \mathcal{L} \to \mathcal{L}$ computes the state $Do(o,l)$ resulting from applying
operation $o$ to state $l$. We denote by $[o_1; o_2; \ldots; o_m]$ an operation sequence. Applying an operation
sequence to a state $l$ is defined as follows: (i) $Do([], l) = l$, where $[]$ is the empty sequence and;
(ii) $Do([S; o], l) = Do(o, Do(S, l))$, $S$ being an operation sequence.

Two operation sequences $S_1$ and $S_2$ are equivalent, denoted $S_1 \equiv S_2$, iff $Do(S_1, l) = Do(S_2, l)$ for all
states $l$.

Concretely, OT consists of the integration procedure and the transformation function, called
Inclusive Transformation (IT function). The integration procedure is in charge of executing update
operations, broadcasting local update operations to other sites, receiving update operations
from other sites, and determining transformations to be performed on a received operation before
its execution. The transformation function transforms an update operation $o$ w.r.t. another update
operation $o'$ ($IT(o,o')$). Let $S = [o_1; o_2; \ldots; o_m]$ be a sequence of operations. Transforming
any editing operation $o$ w.r.t. $S$ is denoted $IT^*(o,S)$ and is recursively defined by: $IT^*(o, []) = o$,
where $[]$ is the empty sequence, and $IT^*(o, [o_1; o_2; \ldots; o_m]) = IT^*(IT(o,o_1), [o_2; \ldots; o_m])$. By
definition: $IT(Nop(), o) = Nop()$ and $IT(o, Nop()) = o$ for every operation $o$.

2.2 Integration procedures 

The integration procedure is based on two notions: concurrency and dependency of operations. Let $o_1$
and $o_2$ be two operations generated at sites $i$ and $j$, respectively. We say that $o_2$ causally depends on $o_1$,
denoted $o_1 \to o_2$, iff: (i) $i = j$ and $o_1$ was generated before $o_2$, or, (ii) $i \neq j$ and the execution of $o_1$ at
site $j$ has happened before the generation of $o_2$. Operations $o_1$ and $o_2$ are said to be concurrent, denoted
$o_1 \parallel o_2$, iff neither $o_1 \to o_2$ nor $o_2 \to o_1$. As a long established convention in OT-based collaborative
editors (3 [13], the timestamp vectors are used to determine the causality and concurrency relations 
between operations. A timestamp vector is associated with each site and each generated operation. 
Every timestamp is a vector of integers with a number of entries equal to the number of sites. For a site 
$j$, each entry $V_j[i]$ returns the number of operations generated at site $i$ that have been already executed on
site $j$. When an operation $o$ is generated at site $i$, a copy $V_o$ of $V_i$ is associated with $o$ before its broadcast
to other sites. The entry $V_i[i]$ is then incremented by 1. Once $o$ is received at site $j$, if the local vector
$V_j$ "dominates"¹ $V_o$, then $o$ is ready to be executed on site $j$. In this case, $V_j[i]$ will be incremented
by 1 after the execution of $o$. Otherwise, the execution of $o$ is delayed. Let $V_{o_1}$ and $V_{o_2}$ be timestamp
vectors of $o_1$ and $o_2$, respectively. Using these timestamp vectors, the causality and concurrency
relations are defined as follows: (i) $o_1 \to o_2$ iff $V_{o_1}[i] < V_{o_2}[i]$; (ii) $o_1 \parallel o_2$ iff $V_{o_1}[i] \geq V_{o_2}[i]$ and $V_{o_2}[j] \geq V_{o_1}[j]$.

Several integration procedures have been proposed in the groupware research area, such as dOPT |0, 
adOPTed Ell, SOCT2,4 H2HH], GOTO US and COT [B]]. There are two kinds of integration pro- 
cedures: centralized and decentralized. In the centralized integration procedures such as SOCT4 and 
COT, there is a central node which ensures that all concurrent operations are executed in the same order 
at all sites. In the decentralized integration procedures such as adOPTed, SOCT2 and GOTO, there is 
no central node and the operations may be executed in different orders by different sites. We focus, 
in the following, on the decentralized integration procedures. In general, in such a kind of integration 
procedures, every site generates operations sequentially and stores these operations in a stack also called 
a history (or execution trace). When a site receives a remote operation $o$, the integration procedure
executes the following steps:

1. From the local history $S$, it determines the equivalent sequence $S'$ that is the concatenation of
two sequences $S_h$ and $S_c$ where (i) $S_h$ contains all operations happened before $o$ (according to the
causality relation defined above), and (ii) $S_c$ consists of operations that are concurrent to $o$.

2. It calls the transformation component in order to get operation $o'$ that is the transformation of $o$
according to $S_c$ (i.e. $o' = IT^*(o, S_c)$).

3. It executes $o'$ on the current state and then adds $o'$ to local history $S$.

¹ We say that $V_1$ dominates $V_2$ iff $\forall i,\ V_1[i] \geq V_2[i]$.

The integration procedure allows history of executed operations to be built on every site, provided that 
the causality relation is preserved. When all sites have executed the same set of operations (stable states), 
their histories are not necessarily identical because the concurrent operations may be executed in different 
orders. Nevertheless, they must be equivalent in the sense that they must lead to the same final state. 

2.3 Inclusive transformation functions 

We can find, in the literature, several IT functions: Ellis's algorithm [5], Ressel's algorithm [10], Sun's
algorithm [14], Suleiman's algorithm [11] and Imine's algorithm [6]. They differ in the manner that
conflict situations are managed. A conflict situation occurs when two concurrent operations insert different
characters at the same position. To deal with such conflicts, all these algorithms, except the one proposed
by Sun et al., add some extra parameters to the insert operation signature.

2.3.1 Ellis's algorithm

Ellis and Gibbs [5] are the pioneers of OT approach. They extend operation Ins with another parameter
$pr$ representing its priority. Concurrent operations have always different priorities. Fig. 3 illustrates the
four transformation cases for Ins and Del proposed by Ellis and Gibbs.

$$
IT(Ins(p_1,c_1,pr_1), Ins(p_2,c_2,pr_2)) =
\begin{cases}
Ins(p_1,c_1,pr_1) & \text{if } (p_1 < p_2) \lor (p_1 = p_2 \land c_1 \neq c_2 \land pr_1 < pr_2) \\
Ins(p_1+1,c_1,pr_1) & \text{if } (p_1 > p_2) \lor (p_1 = p_2 \land c_1 \neq c_2 \land pr_1 > pr_2) \\
Nop() & \text{otherwise}
\end{cases}
$$

Figure 3: IT function of Ellis et al.

2.3.2 Ressel's algorithm

Ressel et al. [10] proposed an algorithm that provides two modifications in Ellis's algorithm. The first
modification consists in replacing priority parameter $pr$ by another parameter $u$, which is simply the
identifier of the issuer site. Similarly, $u$ is used for tie-breaking when a conflict occurs between two
concurrent insert operations. As for the second modification, it concerns how a pair of insert operations is
transformed. When two concurrent insert operations add at the same position two (identical or different)
elements, only the insertion position of operation having a higher identifier is incremented. In other
words, both elements are inserted even if they are identical. This is the opposite of the solution proposed
by Ellis and Gibbs, which keeps only one element in case of identical concurrent insertions. Apart
from these modifications, the other cases remain similar to those of Ellis and Gibbs. Fig. 4 illustrates all
transformation cases given by the algorithm of Ressel et al. [10].

$$
IT(Ins(p_1,c_1,u_1), Ins(p_2,c_2,u_2)) =
\begin{cases}
Ins(p_1,c_1,u_1) & \text{if } p_1 < p_2 \lor (p_1 = p_2 \land u_1 < u_2) \\
Ins(p_1+1,c_1,u_1) & \text{otherwise}
\end{cases}
$$

$$
IT(Ins(p_1,c_1,u_1), Del(p_2)) =
\begin{cases}
Ins(p_1,c_1,u_1) & \text{if } p_1 < p_2 \\
Ins(p_1-1,c_1,u_1) & \text{otherwise}
\end{cases}
$$

$$
IT(Del(p_1), Ins(p_2,c_2,u_2)) =
\begin{cases}
Del(p_1) & \text{if } p_1 < p_2 \\
Del(p_1+1) & \text{otherwise}
\end{cases}
$$

$$
IT(Del(p_1), Del(p_2)) =
\begin{cases}
Del(p_1) & \text{if } p_1 < p_2 \\
Del(p_1-1) & \text{if } p_1 > p_2 \\
Nop() & \text{otherwise}
\end{cases}
$$

Figure 4: IT function of Ressel et al.



2.3.3 Sun's algorithm 

Sun et al. [14] have designed another IT algorithm, which is slightly different in the sense that it is
defined for stringwise operations. Indeed, the following operations are used: $Ins(p,s,l)$ to insert string $s$
of length $l$ at position $p$ and $Del(p,l)$ to delete string of length $l$ from position $p$. To compare with other
IT algorithms, we suppose that $l = 1$ for all update operations. The IT function in this case is reported at
Fig. 5.

$$
IT(Ins(p_1,c_1), Ins(p_2,c_2)) =
\begin{cases}
Ins(p_1,c_1) & \text{if } p_1 < p_2 \\
Ins(p_1+1,c_1) & \text{otherwise}
\end{cases}
$$

$$
IT(Ins(p_1,c_1), Del(p_2)) =
\begin{cases}
Ins(p_1,c_1) & \text{if } p_1 < p_2 \\
Ins(p_1-1,c_1) & \text{otherwise}
\end{cases}
$$

$$
IT(Del(p_1), Ins(p_2,c_2)) =
\begin{cases}
Del(p_1) & \text{if } p_1 < p_2 \\
Del(p_1+1) & \text{otherwise}
\end{cases}
$$

$$
IT(Del(p_1), Del(p_2)) =
\begin{cases}
Del(p_1) & \text{if } p_1 < p_2 \\
Del(p_1-1) & \text{if } p_1 > p_2 \\
Nop() & \text{otherwise}
\end{cases}
$$

Figure 5: Characterwise IT function of Sun et al.

2.3.4 Suleiman's algorithm

Suleiman et al. [11] proposed another solution that modifies the signature of insert operation by adding
two parameters $av$ and $ap$. For an insert operation $Ins(p,c,av,ap)$, $av$ contains operations that have
deleted a character before the insertion position $p$. The set $ap$ contains operations that have removed
a character after or at position $p$. When an insert operation is generated the parameters $av$ and $ap$ are
empty. They will be filled during transformation steps. The IT algorithm of Suleiman et al. is given
in Figure 6. To resolve the conflict between two concurrent insert operations $Ins(p,c_1,av_1,ap_1)$ and
$Ins(p,c_2,av_2,ap_2)$, three cases are possible:

1) $(av_1 \cap ap_2) \neq \emptyset$: character $c_2$ is inserted before character $c_1$,

2) $(ap_1 \cap av_2) \neq \emptyset$: character $c_2$ is inserted after character $c_1$,

3) $(av_1 \cap ap_2) = (ap_1 \cap av_2) = \emptyset$: in this case characters $c_1$ and $c_2$ are compared (for instance according
to the lexicographic order) to choose the one to be added before the other. Like the site identifiers and
priorities, parameters $av$, $ap$ and the comparison of characters are used to tie-break conflict situations. Note that
when two concurrent operations insert the same character (e.g. $c_1 = c_2$) at the same position, the one
is executed and the other one is ignored by returning the idle operation $Nop()$. In other words, like the
solution of Ellis and Gibbs [5], only one character is kept.

$$
IT(Ins(p_1,c_1,av_1,ap_1), Ins(p_2,c_2,av_2,ap_2)) =
\begin{cases}
Ins(p_1,c_1,av_1,ap_1) & \text{if } p_1 < p_2 \lor (p_1 = p_2 \land ap_1 \cap av_2 \neq \emptyset) \lor (p_1 = p_2 \land ap_1 \cap av_2 = av_1 \cap ap_2 = \emptyset \land c_1 > c_2) \\
Ins(p_1+1,c_1,av_1,ap_1) & \text{if } p_1 > p_2 \lor (p_1 = p_2 \land av_1 \cap ap_2 \neq \emptyset) \lor (p_1 = p_2 \land ap_1 \cap av_2 = av_1 \cap ap_2 = \emptyset \land c_1 < c_2) \\
Nop() & \text{otherwise}
\end{cases}
$$

$$
IT(Ins(p_1,c_1,av_1,ap_1), Del(p_2)) =
\begin{cases}
Ins(p_1,c_1,av_1,ap_1 \cup \{Del(p_2)\}) & \text{if } p_1 < p_2 \\
Ins(p_1-1,c_1,av_1 \cup \{Del(p_2)\},ap_1) & \text{otherwise}
\end{cases}
$$

$$
IT(Del(p_1), Ins(p_2,c_2,av_2,ap_2)) =
\begin{cases}
Del(p_1) & \text{if } p_1 < p_2 \\
Del(p_1+1) & \text{otherwise}
\end{cases}
$$

$$
IT(Del(p_1), Del(p_2)) =
\begin{cases}
Del(p_1) & \text{if } p_1 < p_2 \\
Del(p_1-1) & \text{if } p_1 > p_2 \\
Nop() & \text{otherwise}
\end{cases}
$$

Figure 6: IT function of Suleiman et al.

2.3.5 Imine's algorithm

In [6], Imine et al. proposed another IT algorithm which again enriches the signature of insert operation
with parameter $ip$ which is the initial (or the original) insertion position given at the generation stage.
Thus, when transforming a pair of insert operations having the same current position, they compare
first their initial positions in order to recover the position relation at the generation phase. If the initial
positions are identical, then like Suleiman et al. [11] they compare symbols to tie-break an eventual
conflict. Fig. 7 gives the IT function of Imine.

$$
IT(Ins(p_1,c_1,ip_1), Ins(p_2,c_2,ip_2)) =
\begin{cases}
Ins(p_1,c_1,ip_1) & \text{if } p_1 < p_2 \lor (p_1 = p_2 \land ip_1 < ip_2) \lor (p_1 = p_2 \land ip_1 = ip_2 \land c_1 < c_2) \\
Ins(p_1+1,c_1,ip_1) & \text{if } p_1 > p_2 \lor (p_1 = p_2 \land ip_1 > ip_2) \lor (p_1 = p_2 \land ip_1 = ip_2 \land c_1 > c_2) \\
Nop() & \text{otherwise}
\end{cases}
$$

$$
IT(Ins(p_1,c_1,ip_1), Del(p_2)) =
\begin{cases}
Ins(p_1,c_1,ip_1) & \text{if } p_1 < p_2 \\
Ins(p_1-1,c_1,ip_1) & \text{otherwise}
\end{cases}
$$

$$
IT(Del(p_1), Ins(p_2,c_2,ip_2)) =
\begin{cases}
Del(p_1) & \text{if } p_1 < p_2 \\
Del(p_1+1) & \text{otherwise}
\end{cases}
$$

$$
IT(Del(p_1), Del(p_2)) =
\begin{cases}
Del(p_1) & \text{if } p_1 < p_2 \\
Del(p_1-1) & \text{if } p_1 > p_2 \\
Nop() & \text{otherwise}
\end{cases}
$$

Figure 7: IT function of Imine et al.



2.4 Consistency criteria 

An OT-based collaborative editor is consistent iff it satisfies the following properties:

1. Causality preservation: if $o_1 \to o_2$ then $o_1$ is executed before $o_2$ at all sites.

2. Convergence: when all sites have performed the same set of updates, the copies of the shared
document are identical.

To preserve the causal dependency between updates, timestamp vectors are used. In [10], the authors
have established two properties TP1 and TP2 that are necessary and sufficient to ensure data convergence
for any number of operations executed in arbitrary order on copies of the same object (i.e., decentralized
integration procedure): For all $o_1$, $o_2$ and $o_3$ pairwise concurrent operations generated on the same state
(initial state or state reached from the initial state by executing equivalent sequences):

• TP1: $[o_1; IT(o_2,o_1)] \equiv [o_2; IT(o_1,o_2)]$.

• TP2: $IT^*(o_3, [o_1; IT(o_2,o_1)]) = IT^*(o_3, [o_2; IT(o_1,o_2)])$.

Property TP1 defines a state identity and ensures that if $o_1$ and $o_2$ are concurrent, the effect of executing
$o_1$ before $o_2$ is the same as executing $o_2$ before $o_1$. Property TP2 ensures that transforming $o_3$ along
equivalent and different operation sequences will give the same operation. By abuse of language, an IT
function satisfying properties TP1 and TP2 is said to be consistent.

Accordingly, by these properties, it is not necessary to enforce a global total order between
concurrent operations because data divergence can always be repaired by operational transformation.
However, finding an IT function that satisfies TP1 and TP2 is considered as a hard task, because this
proof is often unmanageably complicated. Note that for some centralized integration procedures such as
SOCT4 and COT, property TP1 is necessary and sufficient to ensure data convergence.

IT functions of Ellis and Sun do not satisfy the property TP1 (see Fig. 8 and Fig. 9).
The pairs of concurrent operations violating TP1 are ($o_1 = Ins(1,f,pr_1)$, $o_2 = Del(1)$) and
($o_1 = Ins(1,f)$, $o_2 = Del(1)$), respectively.



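[Figure 8 content: site 1 starts from "efecte" and executes $o_1 = Ins(1,f,pr_1)$, giving "effecte"; the concurrent operation is $o_2 = Del(1)$. $IT(o_2,o_1) = Del(2)$ and $IT(o_1,o_2) = Ins(0,f,pr_1)$; the final states are "efecte" and "feecte".]

Figure 8: Violation of TP1 for Ellis's IT.

[Figure 9 content: $o_1 = Ins(1,f)$ and $o_2 = Ins(1,e)$; $IT(o_2,o_1) = Ins(2,e)$ and $IT(o_1,o_2) = Ins(2,f)$; states shown: "effct", "efefct", "effect".]

Figure 9: Violation of TP1 for Sun's IT.
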
Suleiman's IT satisfies neither TP1 nor TP2 [3, 6]. The counterexample for TP1 is given by
the pair of operations ($o'_1 = Ins(2,f,\{o_3\},\{o_5\})$, $o'_2 = Ins(2,c,\{o_5\},\{o_3\})$). The corresponding
scenario, reported at Fig. 10, consists of 4 users $u_1$, $u_2$, $u_3$ and $u_4$, on different sites. Users $u_1$, $u_2$ and
$u_3$ have generated and executed locally sequences $S_1 = [o_1 = Ins(3,f,\emptyset,\emptyset)]$, $S_2 = [o_2 = Ins(2,c,\emptyset,\emptyset)]$
and $S_3 = [o_3 = Del(2); o_4 = Ins(2,e,\emptyset,\emptyset); o_5 = Del(2)]$, respectively. Then, user $u_3$ receives
successively operations $o_1$ and $o_2$. User $u_4$ receives consecutively operations of $S_3$, $o_2$ and $o_1$. The
IT function of Suleiman fails to ensure convergence (property TP1 is violated). Indeed, when the
site of user $u_3$ receives $o_1$, it is first transformed w.r.t. the sequence $S_3$. The resulting operation
$o'_1 = IT^*(o_1,S_3) = Ins(3,f,\{o_3\},\{o_5\})$ is executed locally. When it receives $o_2$, it is successively
transformed w.r.t. $S_3$ ($o'_2 = IT^*(o_2,S_3) = Ins(2,c,\{o_5\},\{o_3\})$) and $o'_1$ (i.e., $IT(o'_2,o'_1) = Ins(3,f,\{o_3\},\{o_5\})$)
before its execution. For its part, the site of $u_4$ executes the sequence $S_3$ of $u_3$ without transformation
but when it receives $o_2$, it is transformed against $S_3$ (i.e., $o'_2 = IT^*(o_2,S_3) = Ins(2,c,\{o_5\},\{o_3\})$) then
executed. When it receives operation $o_1$, it is successively transformed w.r.t. $S_3$ (i.e., $o'_1$) and $o'_2$ (i.e.,
$IT(o'_1,o'_2)$) before its execution. This scenario leads to a divergence of copies of $u_3$ and $u_4$. The property
TP1 is then violated.



Ressel's IT does not satisfy TP2 but satisfies TP1. In Fig. 11, we report a scenario violating
property TP2 for the triplet of concurrent operations ($o_1 = Del(1)$, $o_2 = Ins(2,c_2,u_2)$, $o_3 = Ins(1,c_3,u_3)$).

Imine's IT function satisfies TP1 but does not satisfy TP2. In Fig. 12, we report a scenario violating
TP2. In this scenario, there are 4 users $u_1$, $u_2$, $u_3$ and $u_4$ on different sites. Users $u_1$, $u_2$ and $u_3$ have
generated sequences $S_1 = [o_1 = Del(2)]$, $S_2 = [o_0 = Del(2); o_2 = Ins(2,c,2)]$ and $S_3 = [o_3 = Ins(2,e,2)]$,
respectively. User $u_2$ executes operations $o_0$ and $o_2$ then it receives successively operations $o_1$ and $o_3$.
User $u_4$ receives successively operations $o_0$, $o_1$, $o_2$ and $o_3$. For this scenario, the IT function of Imine
fails to ensure convergence for copies of users $u_2$ and $u_4$. The property TP2 is violated (see Fig. 12).
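
A bounded check of TP1 and TP2, added here as an example (not code from the paper or from any of the cited editors): it implements a character-wise IT with site-identifier tie-breaking in the style described above for Ressel et al., replays the introduction's "efecte" scenario, and searches a small domain for violations. The tuple encoding, the function names, the constructed domain in `site_ops`, and the insert-versus-delete boundary p1 <= p2 (chosen because it reproduces the transformed operations reported for Fig. 11) are assumptions of this example.

```python
from itertools import product

NOP = ("Nop",)

def do(op, s):
    """Do(o, l): apply Ins(p, c, u), Del(p) or Nop() to the string state s."""
    if op[0] == "Ins":
        return s[:op[1]] + op[2] + s[op[1]:]
    if op[0] == "Del":
        return s[:op[1]] + s[op[1] + 1:]
    return s

def do_seq(ops, s):
    """Do([o_1; ...; o_m], l)."""
    for op in ops:
        s = do(op, s)
    return s

def it_site(o1, o2, tiebreak=True):
    """IT(o1, o2). Ins = ("Ins", p, c, u) with u the issuer site, Del = ("Del", p)."""
    if o1 == NOP or o2 == NOP:
        return o1                      # IT(Nop, o) = Nop and IT(o, Nop) = o
    p1, p2 = o1[1], o2[1]
    if o1[0] == "Ins" and o2[0] == "Ins":
        keep = p1 < p2 or (tiebreak and p1 == p2 and o1[3] < o2[3])
        return o1 if keep else ("Ins", p1 + 1, o1[2], o1[3])
    if o1[0] == "Ins":                 # o2 is Del; the boundary p1 <= p2 is this example's assumption
        return o1 if p1 <= p2 else ("Ins", p1 - 1, o1[2], o1[3])
    if o2[0] == "Ins":                 # o1 is Del
        return o1 if p1 < p2 else ("Del", p1 + 1)
    if p1 == p2:
        return NOP                     # both sites deleted the same element
    return o1 if p1 < p2 else ("Del", p1 - 1)

def it_no_tiebreak(o1, o2):
    """Same function without the site-identifier tie-break: equal-position inserts both shift."""
    return it_site(o1, o2, tiebreak=False)

def it_star(it, o, seq):
    """IT*(o, [o_1; ...; o_m]) = IT*(IT(o, o_1), [o_2; ...; o_m])."""
    for other in seq:
        o = it(o, other)
    return o

def site_ops(u, length=4, chars="xy"):
    """Constructed domain: every Ins/Del that site u can issue on a state of the given length."""
    ins = [("Ins", p, c, u) for p in range(length) for c in chars]
    return ins + [("Del", p) for p in range(length)]

def tp1_violations(it, ops1, ops2, state):
    """Pairs for which Do([o1; IT(o2,o1)], l) differs from Do([o2; IT(o1,o2)], l)."""
    bad = []
    for o1, o2 in product(ops1, ops2):
        left = do_seq([o1, it(o2, o1)], state)
        right = do_seq([o2, it(o1, o2)], state)
        if left != right:
            bad.append((o1, o2, left, right))
    return bad

def tp2_violations(it, ops1, ops2, ops3):
    """Triples for which IT*(o3, [o1; IT(o2,o1)]) differs from IT*(o3, [o2; IT(o1,o2)])."""
    bad = []
    for o1, o2, o3 in product(ops1, ops2, ops3):
        a = it_star(it, o3, [o1, it(o2, o1)])
        b = it_star(it, o3, [o2, it(o1, o2)])
        if a != b:
            bad.append((o1, o2, o3, a, b))
    return bad

if __name__ == "__main__":
    s1, s2, s3 = site_ops(1), site_ops(2), site_ops(3)
    print("TP1 violations, with tie-break:", len(tp1_violations(it_site, s1, s2, "abcd")))
    print("TP1 violations, no tie-break:  ", len(tp1_violations(it_no_tiebreak, s1, s2, "abcd")))
    print("first TP2 violation:", tp2_violations(it_site, s1, s2, s3)[0])
```

Passing TP1 on this domain while failing TP2 is the situation the text describes: two replicas that receive the same three concurrent operations in different orders execute different transformed forms of the third one.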

[Figure 10 content: the sites of $u_1$, $u_2$, $u_3$ and $u_4$ all start from "eftte". $o_1 = Ins(3,f,\emptyset,\emptyset)$, $o_2 = Ins(2,c,\emptyset,\emptyset)$, $o_3 = Del(2)$, $o_4 = Ins(2,e,\emptyset,\emptyset)$, $o_5 = Del(2)$; $o'_2 = IT^*(o_2,[o_3;o_4;o_5]) = Ins(2,c,\{o_5\},\{o_3\})$, $o'_1 = IT^*(o_1,[o_3;o_4;o_5])$; $IT(o'_2,o'_1) = Ins(3,c,\{o_5\},\{o_3\})$ and $IT(o'_1,o'_2) = Ins(3,f,\{o_3\},\{o_5\})$.]

Figure 10: Violation of TP1 for Suleiman's IT.

[Figure 11 content: $o_{21} = IT(o_2,o_1) = Ins(1,c,u_2)$ and $o_{12} = IT(o_1,o_2) = Del(1)$; $IT(IT(o_3,o_1),o_{21}) = Ins(2,e,u_3)$ and $IT(IT(o_3,o_2),o_{12}) = Ins(1,e,u_3)$.]

Figure 11: Violation of TP2 for Ressel's IT (in case $u_2 < u_3$).

[Figure 12 content: the sites of $u_1$, $u_2$, $u_3$ and $u_4$ all start from "eefft"; $o_1 = Del(2)$, $o_3 = Ins(2,e,2)$; $IT^*(o_3,[o_0;o_1;o'_2]) = Ins(2,e,2)$ and $IT^*(o_3,[o_0;o_2;o'_1]) = Ins(1,e,2)$; the final states are "eceft" and "eecft".]

Figure 12: Violation of TP2 for Imine's IT.

[Figure 13 content: game automaton with locations s0, s1 and s2. Transition (s0, s1) selects op1: opr_t, p1: p_t, c1: symb_t, op2: opr_t, p2: p_t, c2: symb_t under the guard (op1==Del imply c1==vide) && (op2==Del imply c2==vide) and assigns o1.op=op1, o1.p=p1, o1.c=c1, o2.op=op2, o2.p=p2, o2.c=c2. Transition (s1, s2) selects isNop: Bool, ip1: int[-1,1], ip2: int[-1,1] and executes IT1(o1,o2,o12,isNop,ip1), IT1(o2,o1,o21,isNop,ip2), VerifyTP1().]

Figure 13: Synthesize an IT for TP1.

[Figure 14 content: game automaton with locations s0, s1 and s2. The first transition selects chooseIT: int[0,5] and executes getChosenIT(chooseIT). The next transition selects three operations (op1, p1, c1), (op2, p2, c2), (op3, p3, c3) under the guard (op1==Del imply c1==vide) && (op2==Del imply c2==vide) && (op3==Del imply c3==vide), assigns them to o1, o2 and o3, and executes IT2(o1,o2,o12), IT2(o2,o1,o21), IT2(o3,o1,o31), IT2(o3,o2,o32), IT2(o31,o21,o3121), IT2(o32,o12,o3212), VerifyTP2().]

Figure 14: Synthesize a consistent IT function.

3 Controller synthesis of consistent IT functions 

Given the model of some system and a property to be satisfied, controller synthesis addresses the
question of how to limit the behavior of the model so as to meet the property. In such a framework,
the model consists, in general, of controllable and uncontrollable actions (i.e., transitions). The control
objective is to find, if it exists, a strategy to force the property, by choosing appropriately controllable
actions to be executed, no matter what uncontrollable actions are executed. We are interested in applying
the principle of controller synthesis to design an IT function which satisfies properties TP1 and TP2. We
first investigate whether or not there exist some IT functions which satisfy property TP1. If it is the case,
we investigate whether or not there exist some IT functions, among those satisfying TP1, which satisfy
also TP2.

For these investigations, we use the game automata formalism à la UPPAAL [4]. A game automaton
is an automaton with two kinds of transitions: controllable and uncontrollable. Each transition has a
source location and a destination location. It is annotated with selections, guards and blocks of actions.
Selections bind non-deterministically a given identifier to every value in a given range (type). The other
labels of a transition are within the scope of this binding. A state is defined by the current location and
the current values of all variables. A transition is enabled in a state iff the current location is the source
location of the transition and its guard evaluates to true. The firing of the transition consists in reaching its
destination location and executing atomically its block of actions. The side effect of this block changes
the state of the system. To force some properties, the enabled transitions that are controllable can be
delayed or simply ignored. However, the uncontrollable transitions can neither be delayed nor ignored.

3.1 Do there exist IT functions which satisfy TP1?

An IT function satisfies property TP1 iff for any pair of concurrent operations $o_1$ and $o_2$, it holds
that $[o_1; IT(o_2,o_1)] \equiv [o_2; IT(o_1,o_2)]$. To verify whether or not there are some IT functions which
satisfy property TP1, we have represented in the game automaton, depicted at Fig. 13, the generation
of operations $o_1$ and $o_2$, the computation of $IT(o_1,o_2)$ and $IT(o_2,o_1)$, and the verification of
$[o_1; IT(o_2,o_1)] \equiv [o_2; IT(o_1,o_2)]$. The generation of operations is specified by the uncontrollable
transition $(s_0,s_1)$, since we have no control on the kinds of operations generated by users. The operational
transformations and the verification of TP1 are represented by the controllable transition $(s_1,s_2)$. The
model starts by selecting two operations $o_1$ and $o_2$. The domain of operations is fixed so as to cover all
cases of transformations. Afterwards, it chooses two transformations to apply to $o_1$ w.r.t. $o_2$ and $o_2$ w.r.t.
$o_1$ and applies them by invoking function IT1. Function $IT1(o_1,o_2,o_{12},IsNop,ip_1)$ returns in $o_{12}$ the
result of transformation of $o_1$ w.r.t. $o_2$. If $IsNop = false$ then $o_{12} = Nop()$, otherwise the transformation
of $o_1$ consists in updating the parameter position ($o_{12}.p = o_1.p + ip_1$). It means that 4 possibilities are
offered for transforming an operation $o_1$ w.r.t. another operation $o_2$: $Nop()$, decrementing, maintaining,
or incrementing the position of $o_1$. Finally, the model verifies whether or not the property TP1 is
satisfied. No matter what operations $o_1$ and $o_2$ are generated by the uncontrollable transition, the controller
synthesis aims to force property TP1 by choosing appropriately the operational transformations.

We have used the tool Uppaal-Tiga to verify whether or not there exist some IT functions which
satisfy TP1. The safety control objective for TP1 is AG TP1, where TP1 is defined in the model as a
boolean variable whose value is true while the property TP1 is satisfied. The boolean variable TP1 is set
to false by the function VerifyTP1 if $[o_1 ; IT(o_2, o_1)] \not\equiv [o_2 ; IT(o_1, o_2)]$. Uppaal-Tiga concludes that the
property is satisfied, which means that there is at least one strategy to force property TP1. We report in
Table 1 the different IT functions (satisfying TP1) extracted from the output file of the tool verifytga of
Uppaal-Tiga.

Even if some operational transformations satisfy TP1, they are unacceptable from the semantic point
of view. For instance, if $p_1 = p_2$, the operational transformations $IT(Del(p_1), Del(p_2)) = Del(p_1 - 1)$,
$IT(Del(p_1), Del(p_2)) = Del(p_1)$ and $IT(Del(p_1), Del(p_2)) = Del(p_1 + 1)$ mean that if two users
concurrently generate the same delete operation, two symbols will be deleted at each site, which is
unacceptable from the semantic point of view. The only operational transformation that makes sense
for this case is $IT(Del(p_1), Del(p_2)) = Nop()$. It means that only the symbol at position $p_1$ is deleted
at each site. After eliminating these incoherent operational transformations, there remain 2 possibilities
for $IT(Ins(p_1, c_1), Ins(p_2, c_2))$ with $p_1 = p_2$, $c_1 \neq c_2$, and 3 for $IT(Ins(p_1, c_1), Ins(p_2, c_2))$ with $p_1 = p_2$, $c_1 = c_2$.
Therefore, we can extract 6 IT functions which satisfy TP1. These IT functions differ in the way that
conflicting operations are managed.

3.2 Do there exist IT functions which satisfy TP1 and TP2?

An IT function satisfies property TP2 iff for any triplet of pairwise concurrent operations $o_1$, $o_2$ and $o_3$,
it holds that $IT(IT(o_3, o_1), IT(o_2, o_1)) = IT(IT(o_3, o_2), IT(o_1, o_2))$. To verify whether or not there are
some IT functions which satisfy properties TP1 and TP2, we have used the game automaton depicted
in Fig. 14. This model starts by selecting an IT function which satisfies property TP1 (the range of
chooseIT corresponds to the 6 IT functions satisfying TP1). Afterwards, it selects three operations $o_1$,
$o_2$ and $o_3$, and performs the transformations needed to verify TP2. Function $IT2(o_1, o_2, o_{12})$ applies
the selected IT function to $o_1$ w.r.t. $o_2$ and returns the result of this transformation in $o_{12}$. Finally, the
model calls function VerifyTP2. The control aims to force the choice of an appropriate IT function so as to
satisfy property TP2. The control objective is specified by the CTL formula AG TP2, where TP2 is a
boolean variable whose value is true while the property TP2 is satisfied. This variable is set to false by
the function VerifyTP2 if $IT(IT(o_3, o_1), IT(o_2, o_1)) \neq IT(IT(o_3, o_2), IT(o_1, o_2))$.

Table 1: IT functions supplied by Uppaal-Tiga for TP1 and classical signatures of update operations

| $o_1$ | $o_2$ | $Cond(p_1, p_2, c_1, c_2)$ | $IT(o_1, o_2)$ | $IT(o_2, o_1)$ |
|---|---|---|---|---|
| $Ins(p_1, c_1)$ | $Ins(p_2, c_2)$ | $p_1 < p_2$ | $Ins(p_1, c_1)$ | $Ins(p_2 + 1, c_2)$ |
| $Ins(p_1, c_1)$ | $Ins(p_2, c_2)$ | $p_1 = p_2 \wedge c_1 < c_2$ | $Ins(p_1 + 1, c_1)$ | $Ins(p_2, c_2)$ |
| $Ins(p_1, c_1)$ | $Ins(p_2, c_2)$ | $p_1 = p_2 \wedge c_1 < c_2$ | $Ins(p_1, c_1)$ | $Ins(p_2 + 1, c_2)$ |
| $Ins(p_1, c_1)$ | $Ins(p_2, c_2)$ | $p_1 = p_2 \wedge c_1 = c_2$ | $Ins(p_1 + 1, c_1)$ | $Ins(p_2 + 1, c_2)$ |
| $Ins(p_1, c_1)$ | $Ins(p_2, c_2)$ | $p_1 = p_2 \wedge c_1 = c_2$ | $Ins(p_1, c_1)$ | $Ins(p_2, c_2)$ |
| $Ins(p_1, c_1)$ | $Ins(p_2, c_2)$ | $p_1 = p_2 \wedge c_1 = c_2$ | $Nop()$ | $Nop()$ |
| $Del(p_1)$ | $Del(p_2)$ | $p_1 < p_2$ | $Del(p_1)$ | $Del(p_2 - 1)$ |
| $Del(p_1)$ | $Del(p_2)$ | | $Del(p_1 - 1)$ | $Del(p_2 - 1)$ |
| $Ins(p_1, c_1)$ | $Del(p_2)$ | $p_1 < p_2$ | $Ins(p_1, c_1)$ | $Del(p_2 + 1)$ |
| $Ins(p_1, c_1)$ | $Del(p_2)$ | $p_1 = p_2$ | $Ins(p_1, c_1)$ | $Del(p_2 + 1)$ |
| $Del(p_1)$ | $Ins(p_2, c_2)$ | $p_1 < p_2$ | $Del(p_1)$ | $Ins(p_2 - 1, c_2)$ |
| $Del(p_1)$ | $Ins(p_2, c_2)$ | $p_1 = p_2$ | $Ins(p_1, c_1)$ | $Del(p_2 + 1)$ |

Uppaal-Tiga concludes that the property AG TP2 cannot be forced, which means that there is no
strategy to force property TP2. In other words, there is no IT function, based on the classical parameters of
delete and insert operations, which satisfies both TP1 and TP2. We have investigated why there is no
consistent IT function based on the basic parameters of delete and insert operations. This investigation
has isolated two symbolic pairwise scenarios which prevent us from getting a consistent IT function.
We report in Fig. 15 and Fig. 16 these two pairwise sequences, named scenario 1 and scenario 2,
respectively. For scenario 1, to verify TP2, the computed operational transformations are:

$o_{21} = IT(o_2, o_1) = IT(Ins(p_1, c_2), o_1) = Ins(p_1, c_2)$,
$o_{12} = IT(o_1, o_2) = IT(Del(p_1), Ins(p_1, c_2)) = Del(p_1 + 1)$,
$o_{31} = IT(o_3, o_1) = Ins(p_1, c_3)$, $o_{32} = IT(o_3, o_2) = Ins(p_1 + 2, c_3)$,
$IT(o_{32}, o_{12}) = IT(Ins(p_1 + 2, c_3), Del(p_1 + 1)) = Ins(p_1 + 1, c_3)$ and
$IT(o_{31}, o_{21}) = IT(Ins(p_1, c_3), Ins(p_1, c_2))$.

For the last transformation, we have different possibilities (see Table 1). To satisfy TP2, we must choose

$IT(Ins(p_1, c_3), Ins(p_1, c_2)) = Ins(p_1 + 1, c_3)$.

For scenario 2, the computed operational transformations are:

$o_{21} = IT(o_2, o_1) = Ins(p_1, c_2)$, $o_{12} = IT(o_1, o_2) = Del(p_1)$,
$o_{31} = IT(o_3, o_1) = Ins(p_1, c_3)$, $o_{32} = IT(o_3, o_2) = Ins(p_1, c_3)$,
$IT(o_{32}, o_{12}) = IT(Ins(p_1, c_3), Del(p_1)) = Ins(p_1, c_3)$ and
$IT(o_{31}, o_{21}) = IT(Ins(p_1, c_3), Ins(p_1, c_2))$.

To satisfy TP2, for the last operational transformation, we must use

$IT(Ins(p_1, c_3), Ins(p_1, c_2)) = Ins(p_1, c_3)$.

These two requirements on the same transformation $IT(Ins(p_1, c_3), Ins(p_1, c_2))$ are incompatible.
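The TP1 check of Section 3.1 and the two scenarios above can be replayed mechanically. The following Python sketch is an added example, not code from the paper or from Uppaal-Tiga: it builds the 6 TP1 candidates, checks TP1 by brute force on a constructed sample string, and evaluates TP2 on scenarios 1 and 2. The names make_it, tie_diff, tie_same and survey, the 0-based positions, the symmetric cases $p_1 > p_2$ that Table 1 leaves implicit, and the rule IT(o, Nop()) = o are assumptions.

```python
from itertools import product

NOP = ("nop",)

def apply(s, op):  # execute one operation on string s, 0-based positions
    if op[0] == "ins":
        return s[:op[1]] + op[2] + s[op[1]:]
    return s[:op[1]] + s[op[1] + 1:] if op[0] == "del" else s

def make_it(tie_diff, tie_same):
    """tie_diff ('small'/'large'): which character shifts when two inserts tie
    on position; tie_same ('shift'/'keep'/'nop'): case of identical inserts."""
    def it(a, b):
        if NOP in (a, b):
            return a                        # assumption: IT(o, Nop()) = o
        p, q = a[1], b[1]
        if a[0] == "ins" and b[0] == "ins":
            if p != q:
                return a if p < q else ("ins", p + 1, a[2])
            if a[2] == b[2]:
                return {"shift": ("ins", p + 1, a[2]), "keep": a, "nop": NOP}[tie_same]
            shift = (a[2] < b[2]) == (tie_diff == "small")
            return ("ins", p + 1, a[2]) if shift else a
        if a[0] == "del" and b[0] == "del":
            return NOP if p == q else a if p < q else ("del", p - 1)
        if a[0] == "ins":                   # insert transformed against delete
            return a if p <= q else ("ins", p - 1, a[2])
        return a if p < q else ("del", p + 1)   # delete against insert
    return it

def tp1(it, s="abc", chars="xy"):
    """True if [o1; IT(o2,o1)] and [o2; IT(o1,o2)] agree on the sample domain."""
    ops = [("ins", p, c) for p in range(len(s) + 1) for c in chars]
    ops += [("del", p) for p in range(len(s))]
    return all(apply(apply(s, a), it(b, a)) == apply(apply(s, b), it(a, b))
               for a, b in product(ops, repeat=2))

def tp2(it, o1, o2, o3):
    return it(it(o3, o1), it(o2, o1)) == it(it(o3, o2), it(o1, o2))

def survey(p=1, c2="x", c3="y"):
    """Per candidate: (TP1 holds, TP2 on scenario 1, TP2 on scenario 2)."""
    s1 = (("del", p), ("ins", p, c2), ("ins", p + 1, c3))   # Figure 15
    s2 = (("del", p), ("ins", p + 1, c2), ("ins", p, c3))   # Figure 16
    cands = product(("small", "large"), ("shift", "keep", "nop"))
    return {k: (tp1(it), tp2(it, *s1), tp2(it, *s2))
            for k in cands for it in [make_it(*k)]}

if __name__ == "__main__":
    print(survey())
```

Every candidate passes the TP1 check, and none passes TP2 on both scenarios, whichever characters are chosen for $c_2$ and $c_3$.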



Consequently, a consistent IT function, if it exists, must have additional parameters in its operation
signatures. We have seen, in the previous section, different IT functions based on extending the insert
signature with priority, issuer site, initial position or sets of deleted symbols before and after the position
of the operation. We have reported divergent scenarios for all these IT functions. It means that the
suggested additional parameters are not sufficient or appropriate to ensure convergence. Indeed, adding
priority (as in Ellis's IT) or owner identifier (as in Ressel's IT) to the insert signature fails to ensure
convergence for scenarios 1 and 2. Scenario 1 violates TP1 for Ellis's IT (see Fig. 8). Scenario 2 violates
TP2 for Ressel's IT (see FigHTI). For Suleiman's IT and Imine's IT, scenarios 1 and 2 satisfy TP1 and
TP2 but the added parameters introduce other cases of divergence.

| site 1 | site 2 |
|---|---|
| $o_1 = Del(p_1)$ | $o_2 = Ins(p_1, c_2)$ |
| $o_2 = Ins(p_1, c_2)$ | $o_1 = Del(p_1)$ |
| $o_3 = Ins(p_1 + 1, c_3)$ | $o_3 = Ins(p_1 + 1, c_3)$ |

Figure 15: Scenario 1

| site 1 | site 2 |
|---|---|
| $o_1 = Del(p_1)$ | $o_2 = Ins(p_1 + 1, c_2)$ |
| $o_2 = Ins(p_1 + 1, c_2)$ | $o_1 = Del(p_1)$ |
| $o_3 = Ins(p_1, c_3)$ | $o_3 = Ins(p_1, c_3)$ |

Figure 16: Scenario 2

4 Conclusion 

In this work, we tried to answer the following question: what are all possible IT functions ensuring
convergence for shared strings altered by insert and delete operations? We have first formulated the
existence problem of a consistent IT function as a controller synthesis problem. As a main contribution,
we have shown that only TP1 is satisfied by some IT functions based on the position and character
parameters. Thus, it is impossible to meet TP2 with these simple signatures.

Accordingly, the position and character parameters are necessary but not sufficient. In other words,
additional parameters are needed to explore the existence of consistent IT functions. In the near future,
we will follow the same framework to deal with the following issue: what is the minimal number of
extra parameters to be added in order to achieve consistent IT functions?